Hi everyone, I'm Liu Yiguang from 360 Technology. I'm a researcher from the Unicorn team.
Today my topic is about the public warning system in the LTE network.
And my title is "Warning: Magnitude 10 Earthquake Is Coming in One Minute".
Okay, here is the agenda. First I'm going to introduce what the public warning system in the LTE network is
and what it is used for. Then I'm going to talk about the vulnerability in the LTE protocol.
Then I'm going to introduce how to trigger the vulnerability.
The first thing is to build up a fake base station, and then we need to forge the fake warning message.
And in the last part I will talk about the potential risk of the vulnerability and the mitigation.
Okay, let's talk about what the public warning system in the LTE network is.
The public warning system is used to alert the public to disasters such as earthquakes, tsunamis,
nuclear war, and even a zombie outbreak.
In other words, when you receive a warning message on your mobile phone,
it usually means that you are in big trouble.
You should find a safer place as soon as possible.
There are four kinds of public warning systems all over the world.
ETWS, the Earthquake and Tsunami Warning System, is used in Japan.
The Commercial Mobile Alert Service, CMAS, is used in the USA.
KPAS is for South Korea.
And EU-Alert is used in European countries.
Although there are four kinds of public warning systems,
they share the same architecture and a common signaling procedure.
Okay, here is an example from the American CMAS.
This is a missile alert in Hawaii last year.
Okay, please play the demo.
News report.
How did it happen?
That false alarm in Hawaii that led to 38 minutes of terror.
More than a million people warned of an imminent missile attack,
told this is not a drill.
Families huddling in closets.
Parents hiding children in manholes.
ABC's Jim Avila from Honolulu.
The worker blamed for causing 38 minutes of fear and panic
is reassigned after a routine internal test
turned into the nightmare scenario for more than a million Hawaiians.
A missile may impact on land or sea within minutes.
This is not a drill.
The dire message causing this father to hide his daughter in a manhole.
Families to race into World War II era bunkers.
Tourists to gather in hotel basements.
I had my mom on speakerphone on the mainland.
And I was calling and saying goodbye, you know, to my family.
All starting during a shift change when officials tell ABC News
an employee mistakenly clicked missile alert instead of the test option.
8:07 Saturday morning.
The warning.
This is not a drill.
In just three minutes, at 8:10, the command center knows it's a false alarm.
Official word taking an anguishing 38 minutes to come from this room.
Okay, from the video we can learn that even though this was a false alarm,
it caused the population huge panic and disruption.
But luckily this was just a mistake by an operator in the network center.
It was not issued by an attacker.
But we may wonder, is it possible to forge a fake warning message
and issue it maliciously to the population?
And the answer is yes.
This is the basic architecture of the public warning system.
The CBC and the CBE are used for generating the warning message.
The MME and the eNB are used for transmitting the warning message from the network
to the mobile phone users.
And there is a vulnerability in the air interface,
which is that the warning messages are not encrypted or integrity protected.
They are just transmitted in clear text.
Another vulnerability is that when the mobile phone comes to a new cell,
it doesn't authenticate the cell.
So we can set up a fake base station.
OK, let's see how to trigger the vulnerability.
First we need to set up a fake base station.
The hardware is not very complicated.
We just need an SDR device,
which is used to send the radio frequency signal,
and a laptop to run the LTE protocol stack.
The SDR device we use is the USRP B210.
And the laptop we use is a ThinkPad.
I recommend that you use a high-performance laptop,
because the LTE bandwidth is very large.
The LTE protocol stack we use is an open source LTE platform,
srsLTE.
OK.
Now we are going to forge the fake warning message.
The warning message is defined in the LTE system information blocks.
There are 13 types of system information block.
Here I list 12 of them.
SIB10 and SIB11 are used for transmitting the ETWS warning message.
They are used for Japan.
And SIB12 is used to transmit the other three types of warning message.
OK.
Though there are four kinds of warning message,
they share the same architecture,
and ETWS, which is used for Japan,
is the most complicated.
It has two levels of alert information.
SIB10 is used for transmitting the first level,
which is the primary notification,
and SIB11 is used for transmitting the secondary notification.
The paging message is used to
make the mobile phone receive the warning message as soon as possible.
And SIB1 is used for scheduling SIB10 and SIB11.
It's just a control message.
It doesn't contain the warning message.
Here I'm going to talk about the details of the primary notification.
This is the structure of SIB10,
which defines the primary notification.
It is a screenshot of the LTE standard specification.
The picture below is the source code we added to srsLTE
to transmit the warning message,
and we perform the ASN.1 encoding.
Because srsLTE doesn't support sending the warning message,
we had to add the source code.
Okay.
Here is the demo.
This demo is the warning message we forged.
And this is the primary notification.
Please play the demo.
This is the warning message.
Okay.
This is the primary notification.
It just contains fixed information.
You cannot customize the content.
The text is just "ETWS".
And it will make a very harsh alarm with the earthquake reminder.
The secondary notification can customize the content,
and it also supports segmentation when the warning message is too large,
and it also supports multiple languages; it supports Chinese and English.
We can use GSM 7-bit for sending the English and use UCS-2 to send the Chinese warning message.
This is the structure of SIB11, which defines the secondary notification,
and the picture below is the source code we added to srsLTE to send the secondary notification.
What's more, because the secondary notification can be customized, we could add anything we want into it.
If we want to send an earthquake warning message, we can add the earthquake epicenter, the magnitude,
the time and the location into the warning message to make it look more like a real one.
And we found that when we set the message identifier to a value from 0x1102 to 0x1104,
the mobile phone would not make a harsh alarm; it will just make a very mild buzz.
We will see that later in another demo.
And we could even make the warning message send an advertisement; it is just irrelevant to the warning.
Or, as a fake warning message, we could add anything into it, the phishing website and the phishing phone number especially.
Okay, here are the four fake warning messages we have forged.
The first two pictures are the earthquake warning message. We added the earthquake location,
time and magnitude. It says there will be an earthquake in Beijing and Tianjin.
The second picture is the same content translated into Chinese with the UCS-2 encoding standard.
And the last two pictures are not earthquake warning messages. They are just an emergency warning,
because we set the identifier to 0x1104, and we added the phishing website and the phishing
phone number respectively.
Okay, here is a demo of the secondary notification.
This is a fake warning message that we forged. Please play the demo.
Okay, at this time we can see that the mobile phone will not make a very harsh alarm with the
earthquake reminder, just a very mellow bell.
All the tests we have done so far are based on the Google Pixel, but we have also done
many tests on other phones, because China doesn't support the PWS.
So our domestic version Android phones like Xiaomi and Huawei don't support the public
warning system.
They have removed the function in the operating system.
But our China version iPhones will respond to the warning message only under
the test network, whose MCC is 001 and MNC is 01; they will not respond to the warning
message under the networks of China Mobile, China Unicom or China Telecom.
So, China doesn't need to worry about the warning message.
Next I will show you the response of the China version iPhone.
Okay, please play the demo.
Okay, there was a little bit of a delay.
So, it is a China version, but it speaks Japanese, I don't know why.
Okay, here is the conclusion part.
I will talk about the risk and mitigation.
Suppose there is a football stadium full of people, just like this picture.
And at this time, we set up a fake base station and we send out the fake warning message:
"A magnitude 10 earthquake is coming in one minute."
What will happen?
Because the warning message is a broadcast message, it can be received by all the
mobile phone users simultaneously.
And all the mobile phones that support the PWS will make a harsh alarm with an earthquake
reminder.
And this may cause the population huge panic and even a stampede when they try to escape
from their seats.
Okay, let's see what we can do to prevent this fake warning message.
We could use asymmetric encryption to protect the warning message.
The network can use the private key to append a digital signature to the warning message,
and the mobile phone can use the public key to verify the authenticity of the network
and the warning message.
This may prevent the fake warning message, and I hope our public warning system
will not use clear text anymore.
Okay, that's my talk. Thank you. Any questions?
No? Okay. Thank you.
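The signature-based mitigation the speaker proposes at the end, as an added example that is not part of the talk or of srsLTE: the network signs the SIB11 fields (message identifier, serial number, data coding scheme and the UCS-2 warning text) with its private key, and the phone alerts only when the signature verifies under the operator public key it was provisioned with. Ed25519 stands in for the unspecified asymmetric scheme, and the byte layout is an assumption of this example, not the 3GPP ASN.1 encoding.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"unicode/utf16"
)
// Warning holds the SIB11 fields the talk names; the layout is an example simplification, not 3GPP ASN.1.
type Warning struct {
	MessageID uint16 // messageIdentifier, e.g. 0x1100 = ETWS earthquake (TS 23.041)
	Serial    uint16 // serialNumber: geographical scope, message code, update number
	DCS       byte   // dataCodingScheme; 0x48 = UCS-2, general data coding (TS 23.038)
	Text      string // warningMessageSegment, a single segment here
}

// encodeUCS2 gives the UTF-16BE bytes the talk uses for the Chinese text.
func encodeUCS2(s string) []byte {
	var out []byte
	for _, u := range utf16.Encode([]rune(s)) {
		out = append(out, byte(u>>8), byte(u))
	}
	return out
}

// Serialize is what both sides sign and verify; every field is covered so neither identifier nor text can be swapped.
func (w Warning) Serialize() []byte {
	hdr := make([]byte, 5)
	binary.BigEndian.PutUint16(hdr[0:], w.MessageID)
	binary.BigEndian.PutUint16(hdr[2:], w.Serial)
	hdr[4] = w.DCS
	return append(hdr, encodeUCS2(w.Text)...)
}

// Sign is the network side: the operator's private key signs the warning.
func Sign(priv ed25519.PrivateKey, w Warning) []byte {
	return ed25519.Sign(priv, w.Serialize())
}

// Verify is the UE side: alert only if the signature checks under the provisioned operator public key.
func Verify(pub ed25519.PublicKey, w Warning, sig []byte) bool {
	return ed25519.Verify(pub, w.Serialize(), sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	w := Warning{0x1100, 1, 0x48, "地震警报"} // constructed sample text
	fmt.Println("genuine warning verifies:", Verify(pub, w, Sign(priv, w)))
}
```

A message signed by a rogue cell's own key, or a genuine signature replayed over altered text or a changed identifier, fails Verify and is dropped instead of triggering the alarm.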
